The theft of credit and debit card data from 40 million Target Corp customers could end up costing hundreds of millions of dollars, but it is unclear who will bear the expense, lawyers and industry sources said.
Target said on Thursday hackers had stolen the data of shoppers who visited its stores during the first three weeks of the holiday season. Americas's third-largest retailer said it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
For big data breaches, the total cost typically amounts to about $17 per account, said Larry Ponemon, whose Ponemon Institute researches data breaches. The fee includes litigation, notifying customers, replacing cards, sorting bad charges from legitimate charges, and making good on bad charges, he added.
For the Target breach, that would bring the total cost of the incident to somewhere around $680 million.
The figure is an estimate, and a number of other factors could increase or decrease the value. For example, because these data breaches took place during the holiday season, when consumers are often spending more, banks might be slower to discover fraudulent charges, which could result in the cost being higher.
It is unclear who will have to bear the cost because investigations have not yet determined who was at fault. If the breach happened at the retailer’s systems, it will likely be on the hook for the amount, lawyers said.
Target spokeswoman Molly Snyder declined to comment on whether it might bear costs of the breach, or the $680 million estimate.
The expenses could instead fall on the bank or banks processing the retailer’s transactions, or on third parties that the bank or banks subcontracted to, said David Robertson, publisher of The Nilson Report, a credit and debit card industry newsletter. It was not immediately clear which bank or banks held these roles.
Once it is clear who to blame for the breach, Target, the card-issuing banks and the card networks, including Visa and MasterCard, will hash out all of the costs that the responsible parties will bear, said an executive at one bank.
One of the biggest expenses to the company responsible will probably be reimbursing card holders. The average fraud is usually around $100 to $200 before it is caught, said Avivah Litan, an analyst at Gartner Research focusing on cybersecurity and fraud. But not all accounts that are compromised end up with fraudulent charges, she added.
There may also be fines from regulators who claim the responsible parties violated consumer protection laws.
TJX Cos, parent company of discount retailers including T.J. Maxx and Marshalls, announced in January 2007 that it had suffered from a data breach. In 2009, the company settled with 41 state attorneys general for $9.75 million. TJX’s total expenses from the breach ran into the hundreds of millions of dollars.
Massachusetts Attorney General Martha Coakley, who headed a multi-state probe into the breach at TJX, said in a statement that her office was talking to Target about the breach and how the company was addressing it. Her office also planned to work with other Attorneys General to determine whether the company had proper safeguards in place.
New York Attorney General Eric Schneiderman said in a public statement that he had asked Target for more information as well.
Whoever is responsible will also likely face class action lawsuits, but plaintiffs may struggle to win much, lawyers said. Gerry Silver, a lawyer in New York who defends companies against data breaches, said he would expect class actions to be filed but that it was a tough road to win for customers.
"The biggest hurdle is whether there are actual damages," he said. "Just because a consumer's credit card is exposed doesn't mean there's damages. If they didn't suffer monetary harm, chances are there’s no viable claim."
Jason Weinstein, a partner at Steptoe & Johnson and a former federal prosecutor, said that plaintiffs often have trouble proving they have standing to sue in a case like this.
Consumers may temporarily lose trust in the store's ability to protect their credit and debit card information, retail strategist Carol Spieckerman said. But Gartner's Litan noted that consumers tend to have short memories, and care more about discounts than security.
Target's shares fell 2.2 percent to $62.15 on Thursday.